
RE: Problems with SSL certification on openldap 2.1.3



You can configure your clients to ignore any server security checks.
But for a little perspective on why these checks are important, consider
how Microsoft botched things in Internet Explorer:
http://www.theregus.com/content/4/25935.html

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support 

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw
> Sent: Friday, August 16, 2002 2:09 PM
> To: Eduardo Fernandes Piva
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: Problems with SSL certification on openldap 2.1.3
> 
> 
> fre, 2002-08-16 kl. 20:59 skrev Eduardo Fernandes Piva:
> 
> > TLS_CACERT /usr/share/ssl/certs/ca.cert
> >
> > Is there any way to use SSL without my clients needing to do that? It's a
> > private network and I'm using self-signed certificates.
> 
> The whole point about a CA certificate is that it MUST be available to
> the clients. Otherwise, what warranty does the client have that the
> server is who it says it is? That's what the certificate is for. It is
> from one who guarantees that the "bearer" is bonafide, like a passport
> or a driver's license.
> 
> The only certificate that the clients MUST not see, is the server's
> private key, since that's the basis for the server's encryption and
> message digests.
> 
> Openssl, as well as browsers such as Netscape, Mozilla, and MS Explorer,
> are delivered with a list of certificates from known Certificate
> Authorities. You yourself can view the browser certs in the browser
> itself. But you can't find your own self-signed CA certificate there,
> unless you import it first (which you have the choice of doing). If you
> import it, you're saying as much as "I trust the issuer".
> 
> You can't view the CA certificates in Openssl, since they're hard coded
> in - but if you compile your own Openssl, you'll see, near the end of
> the compile, a list of the built-in certs it has.
> 
> A good info site used to be the South African Thawte, but since it's
> been taken over by Verisign, it's turned into a kind of street booth.
> You could try www.rsasecurity.com - and read the PKI FAQ. You'll need
> that anyway, if you're serious about encryption :-)
> 
> Best,
> 
> Tony
> 
> 
> -- 
> 
> Tony Earnshaw
> 
> The usefulness of RTFM is vastly overrated.
> 
> e-post:		tonni@billy.demon.nl
> www:		http://www.billy.demon.nl
> gpg public key:	http://www.billy.demon.nl/tonni.armor
> 
> Telefoon:	(+31) (0)172 530428
> Mobiel:		(+31) (0)6 51153356
> 
> GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
> 3BE7B981
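As an added illustration of the point made in the thread (this is not code from either poster or from OpenLDAP), the script below builds a throwaway private CA and a server certificate signed by it, then runs the same chain check an LDAP client performs: once with the CA certificate available (what TLS_CACERT provides) and once with only the system's built-in CAs. The CA name, hostname and temp paths are constructed for the example; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: why a client needs the CA certificate that signed the server
# certificate. Everything is created in a temp directory and removed on exit.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The private CA: a self-signed certificate. This file (not the key!) is
#    what clients must be given, e.g. via TLS_CACERT in ldap.conf.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cert" 2>/dev/null

# 2. The server's key and CSR (constructed hostname), signed by the private CA.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.cert" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.cert" 2>/dev/null

# A client that has the CA certificate can build the chain: prints 0.
verify_with_ca() {
    if openssl verify -CAfile "$WORK/ca.cert" "$WORK/server.cert" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# A client with only the well-known built-in CAs has no issuer for this
# certificate, so verification fails: prints 1.
verify_without_ca() {
    if openssl verify "$WORK/server.cert" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

echo "with CA cert:    $(verify_with_ca)"     # 0
echo "without CA cert: $(verify_without_ca)"  # 1
```

Note that only ca.cert is distributed to clients; server.key and ca.key stay on the server and the CA machine respectively.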